Abstract

The plummeting cost of Bluetooth tags and the ubiquity of mobile devices are revolutionizing 
the traditional lost-and-found service. This paper presents SecureFind, a secure and privacy-preserving 
object-finding system via mobile crowdsourcing. In SecureFind, a unique Bluetooth tag is attached to 
every valuable object, and the owner of a lost object submits an object-finding request to many mobile 
users via the SecureFind service provider. Each mobile user involved searches his vicinity for the lost 
object on behalf of the object owner who can infer the location of his lost object based on the responses 
from mobile users. SecureFind is designed to ensure strong object security such that only the object 
owner can discover the location of his lost object as well as offering strong location privacy to mobile 
users involved. The high efficacy and efficiency of SecureFind are confirmed by extensive simulations. 

Index Terms 

Crowdsourcing, Security, Privacy, Missing-tag detection, RFID 

I. Introduction 

The loss and recovery of physical objects is a significant issue around the world. Here an
object can refer to anything valuable such as personal assets, children, elderly people with dementia, and
pets. For example, about 800,000 US children are reported lost each year [1]. 113 cell phones
are lost or stolen every minute in the US [2], and 19,000 items are lost every year by New York
subway and bus riders [2]. The predominant method for recovering lost objects is through a
lost-and-found place, where lost objects are turned in and returned to their owners with proper
identification. Many (if not most) lost objects, however, may never be found or turned in, and the
object owner may not know which of the possibly many lost-and-found places he should resort
to. The recovery rate for lost objects is thus very low. For instance, the University of California
Police reported that only 19.3% of lost items were recovered [2]. In addition, the recovery latency of this
traditional method may be too long to be useful. As an example, by the time a lost object is
found and turned in to an airport office, the object owner may have departed for a different city
or country.

The plummeting cost and ultra-low energy consumption of Bluetooth tags make them very
promising to revolutionize the lost-and-found service. In contrast to RFID tags, Bluetooth tags
can directly communicate with any mobile device that has a Bluetooth interface within a long
communication range of up to 160 ft. Besides, Bluetooth tags can be used continuously for one
year without changing the battery [3], [4] by adopting the Bluetooth Low Energy (Bluetooth LE)
technique, and they only cost several dollars, which is often negligible in comparison with the
value of lost objects. In the lost-and-found context, a cheap and miniature Bluetooth tag can be
attached to every valuable object and contain its owner’s identification information. Once finding
his object missing, the owner can use his mobile device to search for the corresponding tag. If
the tag gets queried, it can report its location or sound an alert to be located. There are a growing
number of commercial Bluetooth-based products for locating personal assets, such as Tile [3], BlueBee
and StickNFind [4]. These attractive products, however, often require that a lost object be
sufficiently close to the searching device. For example, BlueBee tags [5] and StickNFind tags [4]
support up to 160 ft and 100 ft, respectively. This inherent range limitation makes it infeasible
to recover lost objects far away from their owners.

A promising solution to overcoming the above range limitation is mobile crowdsourcing,
which refers to the practice of obtaining needed services or data by soliciting contributions
from many mobile users. The emergence of mobile crowdsourcing is driven by the skyrocketing
growth of mobile devices. For example, the number of mobile-connected devices was expected to exceed
the world population in 2013 and hit 10 billion in 2016 [6]. Ubiquitous mobile devices can
jointly sense and interact with the physical world at an unprecedented scale, thus enabling many
otherwise infeasible applications [7]-[9]. One can imagine a service provider offering the object-finding
service. An object owner submits an object-finding request as a tag query to the service
provider, which in turn forwards the query to selected mobile users, referred to as mobile detectors
hereafter. Every detector then locally broadcasts the query. The tag on the lost object responds
to any such query, and the corresponding detector finally sends the tag response and his own
location via the service provider to the object owner. Every mobile detector can be rewarded at
a fixed rate or commensurate with the object value. Although the object owner may have to
pay for the service, he can recover his valuable object with overwhelming probability.

Crowdsourcing the lost-and-found service faces some great challenges. First, the object in
search may be of high value, so that the mobile detector discovering it may want to keep it instead
of reporting its whereabouts to the service provider. Thus we need to alleviate the security concerns
of the owners about their lost objects. Second, mobile users may be unwilling to disclose their
locations, which may reveal too much personal information. Therefore, we must protect the
location privacy of mobile users to stimulate their participation in the lost-and-found system. Last,
both Bluetooth tags and mobile devices are resource-constrained, so the object-finding process
should be very efficient in computation and communication, especially for energy-constrained
mobile detectors [38]. Although some companies such as Tile [3] and BlueBee [5] are offering
a crowdsourced lost-and-found service, they ensure neither object security nor location privacy
of the involved mobile detectors.

This paper presents SecureFind, a crowdsourced object-finding system that offers strong object
security to the object owner and also strong location privacy to mobile detectors. The essential
idea in SecureFind is to let some mobile detectors generate dummy tag responses which are
indistinguishable from the real tag response in the eyes of the service provider and other mobile
detectors. Only the object owner can identify the real tag response, so strong object security can
be ensured. In addition, the location of each mobile detector discovering the lost object is kept
from the service provider and only disclosed to the object owner under a dynamic pseudonym.
So the location privacy of mobile detectors can be well guaranteed.

Our contributions are mainly threefold. First, we are the first to formulate secure and privacy-preserving
object finding via mobile crowdsourcing to the best of our knowledge. Second, we
propose two solutions to this problem. The basic scheme provides strong object security at
the cost of low efficiency. In contrast, the advanced scheme seeks to achieve a middle ground
among object security, location privacy, and energy efficiency. Finally, we thoroughly evaluate
the performance of our schemes by theoretical analysis and extensive simulations.


II. Preliminaries 

A. System Model 

We assume a SecureFind service provider offering the object-finding service via mobile
crowdsourcing. The service provider fulfils every object-finding request through a number of
mobile users referred to as mobile detectors hereafter. Every detector has a mobile device such
as a smartphone or tablet to communicate with the service provider and also with nearby Bluetooth
tags. Almost all mobile devices now have Bluetooth functionality, and it has been shown
in [10] that Bluetooth devices can communicate with each other without explicitly establishing
a connection. In addition, nearby mobile detectors can communicate via WiFi-Direct, LTE-A,
or other available Device-to-Device (D2D) technologies which are widely used in many other
applications [10], [22], [23].

An object owner refers to a person who has lost a valuable object. We assume that the lost object
has a Bluetooth tag attached that is hard to remove without breaking the object, and we use “lost tag”
and “lost object” interchangeably henceforth. A Bluetooth tag is a small device with an
on-board battery, which can perform simple computation and communicate with nearby mobile
devices via Bluetooth. Several off-the-shelf Bluetooth tags are currently commercially available
for personal asset tracking, such as Tile [3], StickNFind [4], and BlueBee [5] tags. The cost of a
Bluetooth tag is currently around a few dollars [3] and is plummeting due to rapid technological
advances and growing market demand. It is thus reasonable to assume that every high-value object
will have a Bluetooth tag attached to enable object finding in the near future. Moreover, we
assume that every tag $i$ has a unique ID $ID_i$ known only to its owner.

The object-finding service in SecureFind works as follows. Assume that the object owner
knows that his lost object is likely in a possibly large target area, e.g., lower Manhattan. He
submits to the service provider an object-finding request containing some information about the
lost tag and also the target area. The service provider then forwards the object-finding request
to all mobile detectors in the target area, each of which in turn locally broadcasts the request.
The lost tag responds to any object-finding request intended for it. Every detector hearing a
tag response forwards it and his own location via the server to the object owner. Based on the
tag responses, the object owner can derive an approximate location (area) of his lost object,
e.g., by multilateration from the reporting detectors’ locations. Finally, the object owner can go to the derived location and
send a tag query in person, in which case the lost tag can respond with its GPS location like a
StickNFind tag [4] or sound an alert like a Tile [3] or BlueBee [5] tag. During this process, the
object owner may initiate multiple requests to keep track of the dynamic locations of his lost
tag (object), which may be carried and in motion. All the system operations are automatically
executed without user involvement through a SecureFind app installed on each mobile device.

Sound incentives must be provided to all the involved parties to materialize SecureFind. The
service provider can charge the object owner at a rate commensurate with the object value,
or it may provide the service for free and profit from web advertisement once its service becomes
very popular. Every mobile detector can be rewarded either at a fixed rate or in accordance with
the object value. Rewarding mechanisms such as perks or badges have proved to be very
successful in soliciting mobile users for crowdsourcing applications like Foursquare. The object
owner may need to pay for the service, but he will be able to quickly recover his lost object
of high value. Here we assume the existence of such incentive mechanisms and refer readers to
the existing rich literature such as [11], [12] on incentive design for mobile crowdsourcing.


B. Adversary Model 


We assume that the service provider is honest-but-curious (HBC) [13], which is a widely 
adopted assumption for rational service providers. In particular, the service provider is trusted to 
faithfully follow the protocol execution, but it may have interest in the location of the lost object 
and also the locations of mobile detectors. In addition, the service provider does not collude 
with any object owner or mobile detector. 

Mobile detectors are curious and also location-sensitive. By curious, we mean that mobile
detectors try to locate the lost object and take it away prior to the object owner’s arrival. To
do so, mobile detectors may attempt to infer whether the lost object is in their vicinity from
the information they receive during protocol execution. By location-sensitive, we mean that
mobile detectors do not want any party (including the server) to know their accurate locations
or, equivalently, to link their accurate locations to their real IDs.

How to deal with other possible attacks on SecureFind is beyond the scope of this paper.
For example, an attacker may jam all radio transmissions, replay intercepted messages, and/or
inject bogus messages. Such denial-of-service attacks can target any wireless/mobile system
like SecureFind and can be mitigated by existing anti-jamming communication techniques and
message authentication.

C. Design Objectives 

We have the following major design objectives.

• Correctness: The object owner should be able to obtain an approximate location of the lost
object.

• Object security: The location of the lost object should be known to the object owner only.

• Location privacy: The mapping between the real ID and location of every mobile detector
should be kept from any other party.

• Efficiency: The object-finding process should incur low communication and computation
overhead.


D. Framed Slotted ALOHA Protocol 

Our schemes depend on Framed Slotted ALOHA, which is a popular anti-collision MAC
protocol adopted by many RFID systems [14]-[16], [20], [21]. Since a Bluetooth tag is much
more powerful than an RFID tag, it is reasonable to assume that a Bluetooth tag can support Framed
Slotted ALOHA with minimal modification. In SecureFind, Framed Slotted ALOHA is executed
between one mobile detector and a number of nearby Bluetooth tags and works as follows. First,
the mobile detector broadcasts a request with two parameters $(r, f)$, where $r$ is a random number,
and $f$ is the number of time slots in one frame, the $f$ slots being numbered from $0$ to $f-1$.
Upon receiving the request $(r, f)$, each tag $i$ responds in slot $h(ID_i \| r) \bmod f$, where $ID_i$
denotes the unique ID of tag $i$, and $h(\cdot)$ denotes a publicly known hash function. Each of the
$f$ time slots can then be an empty slot without any tag response, a singleton slot with a single
tag response, or a collision slot with more than one tag response.

III. Related Work 


Several schemes have been proposed for tracking and locating lost objects. AutoWitness [24]
is a personal asset tracking system that uses an embedded tag with an inertial sensor to estimate
the asset’s position change and proactively transmit trajectory data to an external server via a cellular
link to facilitate asset retrieval. In contrast, SecureFind depends on low-cost Bluetooth tags
without any inertial sensor or cellular communication capability, and is thus more suitable for wide
adoption. Moreover, Sherlock [25] is a system designed to localize objects with embedded RFID
tags in some closed space, which cannot be applied to finding lost objects outdoors and is thus
orthogonal to SecureFind.

Recent years have witnessed significant research on missing-tag detection [14], [15], [17]-[19],
[26]-[29] and identification [16], [30], [31] in RFID systems. This line of work aims to quickly
detect whether or which tags are missing in a large RFID system, while SecureFind targets a
totally different problem. In particular, a lost tag in SecureFind is a tag lost by its owner but still
in the SecureFind service provider’s service region, and SecureFind aims to determine which
mobile detector has the lost tag in his coverage in order to locate and retrieve the lost object
without revealing such information to either the mobile detector or the service provider. In contrast,
a missing tag in [14]-[19], [26]-[31] means a tag taken away from the monitored area, and
the goal there is to determine if any tag is missing. Therefore, existing missing-tag detection
schemes are inapplicable to our problem.

Also related is the line of work on privacy-preserving tag identification and authentication in 


RFID systems, e.g., [32]—[37]. These schemes allow efficient identification and authentication 
of an RFID tag without disclosing any information that can be used to uniquely identify the 
tag. All the RFID tags belong to the same administrator, and there is no attempt to hide the 
locations of the RFID tags from the administrator. In contrast, each Bluetooth tag in SecureFind 
belongs to the corresponding object owner, and its location should be protected from the service 
provider as well. Therefore, SecureFind differs significantly from these schemes in its aim and 
scope. 


IV. A Basic Scheme 

In this section, we present a basic scheme for secure and privacy-preserving object finding. 
The essential idea is to let some mobile detectors in the target area act as dummy tags to send 
dummy tag responses for concealing the real tag response. Since the mobile detectors near the 
lost object cannot differentiate between real and dummy tag responses, the security of the lost 
object can be well protected. The major design challenge here is how to let the object owner 
discover the mobile detectors close to his lost object without drawing the attention of these 
mobile detectors or the service provider.

We propose an iterative multi-round protocol as a solution. In each round, each mobile detector
executes the Framed Slotted ALOHA protocol in Section II-D and forwards the execution result
to the object owner via the service provider. The object owner then excludes those mobile
detectors that cannot be near his lost object according to their execution results. The protocol
completes when no more mobile detectors can be excluded. Finally, the object owner retrieves
the locations of the remaining mobile detectors from the service provider using a specific
cryptographic technique and then infers the location of his lost object. Our scheme ensures that
neither the service provider nor the remaining mobile detectors can learn the location of the lost
object.


A. Scheme Description 

First, the object owner submits an object-finding request $(H(ID \| r), r, PK)$ and the target
area to the service provider, where $ID$ denotes the ID of the lost tag, $r$ is a random seed, $H(\cdot)$
denotes a publicly known cryptographic hash function, and $PK$ is the object owner’s public
key. We can also replace $PK$ with a public-key certificate to prevent the service provider from
substituting a key of its own choice for $PK$. We assume that the service provider knows the physical zone
each mobile detector resides in but not his accurate location. Upon receiving the request, the service
provider forwards the request to all the mobile detectors in the target area, each of which then
locally broadcasts a tag query $(H(ID \| r), r)$. Here we assume a suitable MAC protocol to resolve
potential collisions among mobile detectors; e.g., each mobile detector can wait for some random
time before sending the tag query. Every tag hearing such a tag query can check whether it is the
intended tag by comparing the hash over its own ID and $r$ with the received one, and only the lost tag
gets prepared to respond. In addition, each mobile detector returns his location encrypted with
$PK$ to the service provider so that the service provider cannot figure out his accurate location.
The service provider temporarily buffers these encrypted locations.

The object owner then initiates a polling phase consisting of multiple rounds. Consider round
$x \ge 1$ as an example. The object owner sends a polling request $(r_x, f)$ via the service provider
to each mobile detector, where $f$ denotes the frame length as a fixed system parameter, and $r_x$
is a fresh random seed. Every detector $i$ then locally broadcasts $(r_x, f)$. Every other detector
hearing the polling request from detector $i$ chooses himself as a dummy tag with probability
$q$, which is a tunable system parameter given by the service provider. Each dummy tag $j$ also
generates a random pseudonym $ID_j$. Let $T_{i,x}$ denote the set of tags comprising all the dummy tags
near detector $i$ and also the lost tag if it hears the polling request from detector $i$ as well. Let
$h_1(\cdot), \ldots, h_k(\cdot)$ be $k$ publicly known hash functions, where $k$ is a system parameter. Every tag
$j \in T_{i,x}$ computes $k$ slots to reply in, where the $a$-th slot is computed as $s^a_j = h_a(ID_j \| r_x) \bmod f$
for all $a \in [1, k]$. During the execution of Framed Slotted ALOHA, every tag $j$ sends a one-bit
short response in each of its $k$ computed slots. At the end of round $x$, detector $i$ obtains a bit
vector $V_{i,x} = (v_{i,x}[0], \ldots, v_{i,x}[f-1])$, where $v_{i,x}[y] = 0$ if slot $y$ is an empty slot and $v_{i,x}[y] = 1$
otherwise. Note that here we do not differentiate between singleton and collision slots, which
would require each tag to reply with a long multi-bit response and thus incur higher communication
overhead. Then detector $i$ sends its bit vector $V_{i,x}$ to the object owner via the server.

Assuming that there are in total $C$ mobile detectors in the target area, the object owner receives
$C$ bit vectors in round $x$. He then checks whether any mobile detector can be excluded, i.e.,
is certainly not in the transmission range of his lost tag. To do so, the object owner maintains a
candidate detector set. Let $\mathcal{C}_x$ be the candidate detector set at the beginning of round $x$, where
$\mathcal{C}_1 = \{1, \ldots, C\}$. For each detector $i \in \mathcal{C}_x$, the object owner checks whether at least one of the bit
positions (or slots) $\{h_a(ID \| r_x) \bmod f\}_{a=1}^{k}$ in $V_{i,x}$ is zero (or empty), where $ID$ is the ID
of his lost tag. If so, the lost tag is certainly not around detector $i$ (had it heard the poll, it would have
set every one of those positions), and no dummy tag replied in that slot either. So detector $i$ can be
safely removed from $\mathcal{C}_x$. The object owner terminates
the polling phase if the number of candidate detectors drops to one or remains unchanged after
$\tau \ge 2$ polling rounds, where $\tau$ is a system parameter. The latter case occurs when the lost
tag lies in the coverage of multiple detectors. Also note that the candidate detector set remains
confidential to the object owner, and all the $C$ mobile detectors need to broadcast the polling
request and process the responses in each round of the polling phase even if some of them may
have been confidentially excluded by the object owner.

Once the polling phase is over, the object owner retrieves the encrypted locations of the
remaining candidate detectors from the service provider. Finally, he can derive an approximate
range for his lost object based on the decrypted detector locations. We can see that the service
provider will know which mobile detectors were not excluded. Since the service provider knows
the physical zone each mobile detector resides in (instead of his real location), it can deduce that
the lost object is in one of the physical zones of the remaining detectors. There are two ways to
alleviate this security concern. First, the object owner can request the encrypted locations of a
larger set of detectors that includes both the remaining detectors and some excluded detectors to confuse the
service provider. Second, the object owner can execute an efficient Private Information Retrieval
protocol [39] to retrieve the encrypted locations of the remaining candidate detectors without
revealing whose locations are retrieved.
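The scheme described above, simulated end to end as an added example (this is not code from the paper or from the SecureFind authors). It models the tag’s check of $H(ID \| r)$, a Framed Slotted ALOHA polling round in which dummy tags and the lost tag reply in their $k$ hashed slots to produce the $f$-bit vector $V_{i,x}$, and the object owner’s exclusion rule and termination condition. Assumptions not made by the paper: SHA-256 stands in for $H(\cdot)$ and, with a one-byte domain-separation prefix, for $h_1(\cdot), \ldots, h_k(\cdot)$; coverage is a disc of radius $R$ on a plane; the detector positions, tag ID and seeds are constructed sample data; the service provider, the encrypted detector locations and the final location retrieval are left out, so only the decision of which detectors survive the polling phase is modelled. All function names are ours.

```python
"""Simulation of the SecureFind basic scheme (added example, not the paper's code).

Assumptions not made by the paper: SHA-256 stands in for H(.) and, with a one-byte
domain-separation prefix, for h_1(.)..h_k(.); coverage is a disc of radius R on a
plane; detector positions, the tag ID and all seeds are constructed sample data.
The service provider, the encrypted detector locations and the final location
retrieval are omitted: only the polling logic that decides which detectors the
owner keeps as candidates is modelled.
"""
import hashlib
import math
import random


def H(data: bytes) -> bytes:
    """Publicly known cryptographic hash H(.) (assumed: SHA-256)."""
    return hashlib.sha256(data).digest()


def h_a(a: int, data: bytes, f: int) -> int:
    """Slot hash h_a(data) mod f; the index a is a domain-separation prefix (assumption)."""
    return int.from_bytes(hashlib.sha256(bytes([a]) + data).digest()[:8], "big") % f


def in_range(p, other, R: float) -> bool:
    """Disc coverage model (assumption): p and other are (x, y) tuples."""
    return math.hypot(p[0] - other[0], p[1] - other[1]) <= R


def make_request(tag_id: bytes, rng: random.Random = None):
    """Owner's object-finding request (H(ID||r), r); PK is omitted here."""
    rng = rng if rng is not None else random.Random()
    r = rng.getrandbits(128).to_bytes(16, "big")
    return H(tag_id + r), r


def tag_is_target(tag_id: bytes, req) -> bool:
    """A tag hearing the query recomputes H(ID||r) over its own ID to see if it is meant."""
    h_val, r = req
    return H(tag_id + r) == h_val


def polling_round(i, detectors, tag_id, tag_pos, armed, r_x, f, k, q, R, rng):
    """One Framed Slotted ALOHA round at detector i; returns the f-bit vector V_{i,x}.

    T_{i,x} = other detectors in range that pick themselves as dummies w.p. q (each under
    a fresh random pseudonym ID_j), plus the lost tag if armed and in range. Every tag
    replies one bit in slots h_a(ID_j||r_x) mod f, a = 1..k; singleton and collision
    slots are both recorded as 1, as in the paper.
    """
    me = detectors[i]
    responders = [rng.getrandbits(64).to_bytes(8, "big")            # pseudonym ID_j
                  for j, pos in enumerate(detectors)
                  if j != i and in_range(me, pos, R) and rng.random() < q]
    if armed and in_range(me, tag_pos, R):
        responders.append(tag_id)
    v = [0] * f
    for ident in responders:
        for a in range(1, k + 1):
            v[h_a(a, ident + r_x, f)] = 1
    return v


def owner_exclude(candidates, vectors, tag_id, r_x, f, k):
    """Keep detector i only if all k real positions h_a(ID||r_x) mod f in V_{i,x} are 1."""
    real_positions = {h_a(a, tag_id + r_x, f) for a in range(1, k + 1)}
    return {i for i in candidates if all(vectors[i][p] == 1 for p in real_positions)}


def basic_scheme(detectors, tag_id, tag_pos, f, k, q, R, tau, rng, max_rounds=50):
    """Polling phase of the basic scheme. Returns (final candidate set, rounds used)."""
    armed = tag_is_target(tag_id, make_request(tag_id, rng))  # only the lost tag arms itself
    candidates = set(range(len(detectors)))                    # C_1 = {1, ..., C}
    unchanged, rounds = 0, 0
    while rounds < max_rounds:
        rounds += 1
        r_x = rng.getrandbits(128).to_bytes(16, "big")          # fresh seed for round x
        # every detector polls, including ones the owner has already (secretly) excluded
        vectors = [polling_round(i, detectors, tag_id, tag_pos, armed, r_x, f, k, q, R, rng)
                   for i in range(len(detectors))]
        new = owner_exclude(candidates, vectors, tag_id, r_x, f, k)
        unchanged = unchanged + 1 if len(new) == len(candidates) else 0
        candidates = new
        if len(candidates) <= 1 or unchanged >= tau:
            break
    return candidates, rounds


def demo(seed: int = 1, tag_in_area: bool = True):
    """Constructed deployment: 30 detectors in a 400 m square; the tag sits about 11 m from
    detector 7, or far outside the area (wrong target area) when tag_in_area is False."""
    rng = random.Random(seed)
    R = 50.0
    detectors = [(rng.uniform(0, 400), rng.uniform(0, 400)) for _ in range(30)]
    tag_pos = (detectors[7][0] + 10.0, detectors[7][1] + 5.0) if tag_in_area else (9e9, 9e9)
    tag_id = b"tag-id-secret-0001"
    cands, rounds = basic_scheme(detectors, tag_id, tag_pos, f=64, k=3, q=0.5, R=R, tau=2, rng=rng)
    covering = {i for i, pos in enumerate(detectors) if in_range(pos, tag_pos, R)}
    return cands, covering, rounds
```

The invariant worth checking after `demo()` is that no detector that actually covers the tag is ever excluded, because the armed lost tag sets all $k$ real positions in every round; the returned candidate set may still contain detectors that do not cover the tag but whose dummy tags happened to fill those positions in every round, which is the false-positive behaviour analysed in Section IV-B. Running `demo(tag_in_area=False)` models a wrong target area: the covering set is empty, and the candidate set is usually, but not always, empty as well.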


B. Performance Analysis 

Now we analyze the performance of the basic scheme. 

Correctness. The basic scheme can guarantee that the object owner obtains an approximate
location for his lost object as long as it is within the transmission range of at least one mobile
detector. Assume that there are in total $N$ mobile users in a region of area $S$. Also suppose
that the number of mobile detectors in any subregion of area $s$, denoted by $X(s)$, follows a
homogeneous spatial Poisson process with intensity $N/S$: $\Pr(X(s) = k) = \frac{(Ns/S)^k}{k!}\, e^{-Ns/S}$. Let
$R$ denote the transmission range of the lost tag and also of the mobile detectors. It is easy to see that
the basic scheme is correct with probability $1 - \Pr(X(\pi R^2) = 0) = 1 - e^{-\pi N R^2 / S}$.

In addition, the basic scheme may incur false positives, which occur when the lost object is not
close to any mobile detector (i.e., the given target area is wrong), but some dummy tags happen
to respond just like the lost tag in each round of the polling phase. The object owner will thus
be misled to wrong locations. We can estimate the false-positive probability as follows. Consider
any of the $C$ detectors in the target area, say detector $i$, which has on average $c = \lfloor \pi N R^2 / S \rfloor$
other mobile detectors in his transmission range and does not have the lost tag in his coverage. Since
each mobile detector acts as a dummy tag with probability $q$, there are in total $cq$ dummy tags
in detector $i$’s coverage. Recall that the lost tag needs to respond in slots $\{s^a_x = h_a(ID \| r_x) \bmod f\}_{a=1}^{k}$
in round $x$ if it hears a polling request. Assume that the output of every hash function
is uniformly distributed in $[0, f-1]$. Then the average number of distinct slots the lost tag needs
to respond in is given by

$$\mu = \sum_{l=1}^{k} l \cdot \binom{f}{l} \frac{l!\, S(k, l)}{f^{k}} = f \left( 1 - \left(1 - \frac{1}{f}\right)^{k} \right), \qquad (1)$$

where $S(k, l)$ denotes the Stirling number of the second kind, so that $\binom{f}{l}\, l!\, S(k,l) / f^{k}$ is the
probability that the $k$ hash values fall into exactly $l$ distinct slots.
As said, each dummy tag also responds in up to $k$ slots uniformly distributed in $[0, f-1]$. The
probability that no dummy tag responds in a particular slot of the lost tag is given by $(1 - 1/f)^{kqc}$.
For detector $i$ to stay in the object owner’s candidate detector set in round $x$, at least one
dummy tag needs to respond in each of the $\mu$ distinct slots, which occurs with probability
$p_{one} = \left(1 - (1 - 1/f)^{kqc}\right)^{\mu}$. Assume that the polling phase terminates in $t$ rounds. For a false
positive to occur, at least one detector needs to survive all the $t$ rounds, which occurs with
probability $1 - (1 - p_{one}^{t})^{C}$.

Object Security. The basic scheme offers strong object security. In particular, the information
the service provider can obtain during object finding includes the initial object-finding request
$(H(ID \| r), r, PK)$, the polling results in each round, and the set of candidate detectors whose
locations the object owner requested. Since the service provider knows neither the ID of the lost tag
nor the random pseudonym of each dummy tag, it cannot directly infer which detectors have
the lost tag in their coverage from the polling results, beyond knowing that one of the detectors
for which the object owner requested the locations does.

Can the service provider do better? To make quantitative analysis possible, we assume that
the average number of dummy tags in each detector’s communication range is the same, i.e., $cq$. Under
this assumption, the detector with the lost tag in its coverage may observe slightly more non-empty
slots than those without during the polling phase. In particular, each detector covering the
lost tag, called a real detector hereafter, observes a non-empty slot in each slot with probability
$p_1 = 1 - (1 - 1/f)^{(cq+1)k}$, whereas each detector not covering the lost tag, called a fake detector
hereafter, does so with probability $p_1' = 1 - (1 - 1/f)^{cqk}$. Although this is only a rough estimate,
because the numbers of dummy tags around different mobile detectors are most likely different, the
service provider may still try to gain some information from the polling results by ranking all
the detectors according to the numbers of one bits in their reported vectors. More specifically,
the higher the rank of a detector (i.e., the more one bits in its reported vectors), the more likely
the detector is a real one, and vice versa.

Now we analyze the probability distribution of the real detector’s rank. Consider a real detector
$i$ and a fake detector $j$ in round $x$ as an example. Denote by $b_i$ and $b_j$ the numbers of bit-one
positions in their reported vectors $V_{i,x}$ and $V_{j,x}$, respectively. Let $u = \min(f, (cq+1)k)$ and
$u' = \min(f, cqk)$. The probability that detector $i$ has more bit-one positions than detector $j$ is
given by

$$\Pr(b_i > b_j) = \sum_{z=0}^{u'} \Pr(b_i > z) \cdot \Pr(b_j = z) = \sum_{z=0}^{u'} \sum_{z'=z+1}^{u} \Pr(b_i = z') \cdot \Pr(b_j = z). \qquad (2)$$

For simplicity, assume that there is only one real detector. The p.d.f. of the real detector’s rank
is then given by

(3)

We can see from Eqs. (2) and (3) that if the number of dummy tags (i.e., $cq$) is large, $p_1'$ is very
close to $p_1$. This means that the real detector will be ranked in the middle of all the detectors
with high probability, and the object security can thus be guaranteed.

In addition, neither real nor fake mobile detectors can distinguish the responses of the lost
tag from those of dummy tags and thus cannot determine whether the lost tag is in their vicinity.

Location Privacy. The basic scheme offers strong location privacy to mobile detectors. Specifically,
each mobile detector can report a physical zone encompassing his location instead of his
real location to the service provider to participate in SecureFind. Therefore, the service provider
cannot get the accurate location of any detector. Even if the location of every responding detector
is disclosed to the object owner, we can hide the real ID of the detector from the object owner
by letting the service provider replace the real ID with a dynamic pseudonym. Since the object
owner does not collude with the service provider per our adversary model, the location privacy
of every mobile detector is well preserved.

Efficiency. To analyze the communication overhead of the basic scheme, we first derive the
expected number $t$ of polling rounds. For any mobile detector not covering the lost tag, the
object owner excludes it from the candidate detector set with probability

$$p_e = 1 - p_{one} = 1 - \left(1 - (1 - 1/f)^{kqc}\right)^{\mu},$$

where $\mu$ is given in Eq. (1). So the object owner can exclude a fraction $p_e$ of the remaining
candidate detectors after each polling round. Assume that the number of candidate detectors
drops to one after $t$ rounds. Then we have $C (1 - p_e)^{t} = C\, p_{one}^{t} = 1$ and thus

$$t = \left\lceil \frac{\log C}{\log (1 / p_{one})} \right\rceil. \qquad (4)$$

Each mobile detector sends its encrypted location to the service provider at the beginning, and
he also broadcasts a polling request and sends an $f$-bit vector to the service provider in each
polling round. In addition, since each tag needs to reply with $k$ one-bit responses in each round,
the total communication overhead incurred by tag responses is about $cktC$ bits. Moreover, the
object owner sends one object-finding request and $t$ polling messages. Finally, the object owner
retrieves the encrypted locations of the remaining candidate detectors from the service provider.

As for the computation overhead, each tag (dummy or lost) needs $k$ efficient hash operations
in each polling round, leading to $cktC$ hash operations in total. Moreover, each mobile detector
performs one public-key encryption, and the object owner needs to carry out one public-key
decryption for each non-excluded mobile detector. The most expensive operations, the public-key encryptions
and decryptions, can be done very efficiently on current mobile devices. For example, for the
standard Elliptic Curve Integrated Encryption Scheme (ECIES), one point multiplication and
two point multiplications are needed for one decryption and one encryption, respectively, and a
point multiplication takes less than 7.3 ms on an Android Galaxy Nexus smartphone [40].
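As an added example (not code from the paper), the following evaluates the quantities derived in this performance analysis for a constructed parameter set: $\mu$ of Eq. (1) in both its summed and closed form, $p_{one}$ and the false-positive probability, the per-slot rates $p_1$ and $p_1'$ of the ranking attack, $\Pr(b_i > b_j)$ of Eq. (2), and the round count of Eq. (4). It follows the section’s own simplifications (uniform independent hash outputs, exactly $cq$ dummy tags around every detector, a single real detector). Two things are ours rather than the paper’s: the exact occupancy distribution $\Pr(b = z) = \binom{f}{z}\, z!\, S(n, z) / f^{n}$ used to evaluate Eq. (2), and rounding the number of hash throws $(cq+1)k$ and $cqk$ to integers for that distribution. Function names and the sample parameter values in `sample_analysis()` are assumptions.

```python
"""Numerical evaluation of the basic-scheme analysis (added example, not the paper's code).

Computes Eq. (1) (mu, expected number of distinct slots of the lost tag), p_one and the
false-positive probability, the per-slot rates p_1 and p_1', Pr(b_i > b_j) of Eq. (2)
via the exact occupancy distribution, and Eq. (4). Follows the analysis's assumptions
(uniform independent hashes, exactly cq dummy tags per detector, one real detector);
rounding the number of throws to an integer for the occupancy distribution is ours.
Parameter values in sample_analysis() are constructed sample values.
"""
from functools import lru_cache
from math import ceil, comb, factorial, log


@lru_cache(maxsize=None)
def stirling2(n: int, l: int) -> int:
    """Stirling number of the second kind S(n, l): partitions of n items into l blocks."""
    if n == l:
        return 1
    if l == 0 or l > n:
        return 0
    return l * stirling2(n - 1, l) + stirling2(n - 1, l - 1)


def occupancy_pmf(n: int, f: int) -> dict:
    """Pr(exactly z of f slots are non-empty after n uniform throws), z = 0..min(n, f).

    Exact count: choose the z occupied slots, map the n throws onto them surjectively
    (z! S(n, z) ways), out of f^n equally likely assignments.
    """
    return {z: comb(f, z) * factorial(z) * stirling2(n, z) / f ** n
            for z in range(0, min(n, f) + 1)}


def mu_distinct_slots(f: int, k: int) -> float:
    """Eq. (1): E[number of distinct slots] over k throws; summed and closed forms agree."""
    summed = sum(l * p for l, p in occupancy_pmf(k, f).items())
    closed = f * (1 - (1 - 1 / f) ** k)
    assert abs(summed - closed) < 1e-9, "sum form and closed form of Eq. (1) must agree"
    return closed


def p_one(f: int, k: int, q: float, c: int) -> float:
    """Probability that a fake detector survives one round: dummies cover all mu real slots."""
    return (1 - (1 - 1 / f) ** (k * q * c)) ** mu_distinct_slots(f, k)


def false_positive_prob(C: int, p1: float, t: int) -> float:
    """Pr(at least one of C fake detectors survives all t rounds)."""
    return 1 - (1 - p1 ** t) ** C


def expected_rounds(C: int, p1: float) -> int:
    """Eq. (4): smallest integer t with C * p_one^t <= 1."""
    return ceil(log(C) / log(1 / p1))


def per_slot_rates(f: int, k: int, q: float, c: int):
    """(p_1, p_1'): per-slot non-empty probability for a real and for a fake detector."""
    return 1 - (1 - 1 / f) ** ((c * q + 1) * k), 1 - (1 - 1 / f) ** (c * q * k)


def prob_more_ones(n_i: int, n_j: int, f: int) -> float:
    """Pr(b_i > b_j) where b_i, b_j count non-empty slots after n_i resp. n_j throws (Eq. (2))."""
    pi, pj = occupancy_pmf(n_i, f), occupancy_pmf(n_j, f)
    return sum(pi[z1] * pj[z] for z in pj for z1 in pi if z1 > z)


def prob_real_outranks_fake(f: int, k: int, q: float, c: int) -> float:
    """Eq. (2) with the real detector seeing (cq+1)k throws and the fake one cqk throws."""
    return prob_more_ones(round((c * q + 1) * k), round(c * q * k), f)


def sample_analysis(f=64, k=3, q=0.5, c=10, C=200) -> dict:
    """Constructed parameter set; returns every quantity so they can be inspected together."""
    p1 = p_one(f, k, q, c)
    t = expected_rounds(C, p1)
    return {
        "mu": mu_distinct_slots(f, k),
        "p_one": p1,
        "rounds": t,
        "false_positive": false_positive_prob(C, p1, t),
        "p_1, p_1'": per_slot_rates(f, k, q, c),
        "Pr(real outranks fake)": prob_real_outranks_fake(f, k, q, c),
    }
```

Two observations fall out of running it that the formulas alone do not make obvious. First, `prob_more_ones(n, n, f)` is well below 0.5 because ties between detectors with the same number of throws are common at small $f$, so a ranking by one bits gives the service provider only a weak signal. Second, the gap $p_1 - p_1' = (1-1/f)^{cqk}\bigl(1-(1-1/f)^{k}\bigr)$ shrinks geometrically in $cq$, which is the quantitative form of the claim that a large number of dummy tags pushes the real detector into the middle of the ranking.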

V. An Advanced Scheme: Selected Polling 

The basic scheme provides strong object security. However, in each polling round, each mobile
detector needs to send an $f$-bit vector to the service provider, which incurs large communication
overhead and low efficiency. In this section, we present an advanced scheme to strike a middle
ground between object security and system efficiency.

A. Basic Idea 

The advanced scheme stems from an observation about the basic scheme. Specifically, the
response from every detector in each polling round is an $f$-bit vector. The object owner excludes
some candidate detectors in each round $x$ by checking the bit values at $k$ positions $\{s^\alpha_x =
h_\alpha(ID_j \| r_x) \bmod f\}_{\alpha=1}^{k}$, which we refer to as real positions. There are at most $k$ real positions
because some modular hash values may be the same. Accordingly, we refer to the remaining no fewer
than $f - k$ bit positions as dummy positions. The dummy positions can effectively hide the real
positions so that the detector with the lost object in its coverage cannot tell which positions are real.
The efficiency can be improved if fewer dummy positions are used in each polling round, and the
accompanying cost is that real positions will have a higher chance of exposure.

The advanced scheme implements the above thinking by letting the object owner selectively
poll fewer than $f$ bit positions in each round, among which the fraction of real positions is
adjusted based on the results in previous polling rounds. Intuitively, the more real positions
polled in each round, the fewer polling rounds needed to locate the lost tag and the lower the
communication and computation overhead, but the higher the chance of exposing the lost tag, and vice
versa. The challenge is how to characterize the exposure of the lost tag and then properly adjust
the fraction of real positions.

What is the impact of polling fewer dummy positions on object security? Consider an arbitrary
mobile detector, say $i$. If detector $i$ has the lost tag in his coverage, he is more likely to observe
more non-empty slots than the detectors not covering the lost tag. More specifically, assume
that the object owner queries $\omega$ out of $f$ bit positions, consisting of $\gamma \ge 1$ real positions
and $\omega - \gamma$ dummy positions. Recall that each detector on average has $c = \lfloor \pi R^2 N / S \rfloor$ other
detectors in his coverage, each acting as a dummy tag with probability $q$. If detector $i$ covers
the lost tag, the probability that a randomly queried bit position has a one (or equivalently
that the corresponding slot is busy) can be estimated as

$$p_1 = \left(1 - (1 - 1/f)^{cqk}\right)\cdot\frac{\omega - \gamma}{\omega} + \frac{\gamma}{\omega}
    = 1 - (1 - 1/f)^{cqk} + (1 - 1/f)^{cqk}\cdot\frac{\gamma}{\omega}. \qquad (5)$$

If the lost tag is outside detector $i$'s coverage, the above probability is $p_1' = 1 - (1 - 1/f)^{cqk}$.
It is easy to see that $p_1' < p_1$ for $\gamma \ge 1$. As we normally have $\gamma/\omega > k/f$, the gap between
$p_1$ and $p_1'$ becomes more noticeable in the advanced scheme, leading to lower object security.
In addition, the larger $\gamma$, the more quickly the object owner rules out the candidate detectors
not covering the lost object, the fewer polling rounds needed, the larger the probability gap, and the
lower the object security, and vice versa.

To strike a balance between object security and system efficiency, we let the object owner
maximize the number of real positions in each polling round as long as the polling result (i.e., the
$\omega$-bit vector) observed by the detector covering the lost object is statistically indistinguishable
from the one observed by a detector not covering the lost tag. More specifically, let the null
hypothesis be that the $\omega$-bit vector obtained by a detector is generated from the binomial
distribution $B(\omega, p_1')$, i.e., the theoretical distribution. We can then test the hypothesis using
Pearson's chi-squared test [41] with the test statistic given by

$$\chi^2 = \frac{(p_{ob} - p_1')^2}{p_1'} + \frac{\left((1 - p_{ob}) - (1 - p_1')\right)^2}{1 - p_1'}, \qquad (6)$$

where $p_{ob}$ is the observed frequency of bit ones, and $p_1' = 1 - (1 - 1/f)^{cqk}$ is the theoretical
frequency. Finally, we can compute a p-value from $\chi^2$ using the chi-squared distribution with
one degree of freedom, which gives us the probability of observing such a difference if the $\omega$-bit
vector is generated from $B(\omega, p_1')$.

B. Scheme Description 

The pre-polling phase of the advanced scheme is exactly the same as that of the basic scheme, 
so we do not repeat it here for lack of space. 

As in the basic scheme, the polling phase in the advanced scheme also consists of multiple
rounds. Consider round $x \ge 1$ as an example. The object owner sends a polling request
$(r_x, f, d_{x,0}, \ldots, d_{x,\omega-1})$ via the service provider to each mobile detector, where $f$ denotes the
frame length as a fixed system parameter, $r_x$ is a fresh random seed, and $0 \le d_{x,0} < d_{x,1} <
\cdots < d_{x,\omega-1} \le f - 1$ are the $\omega$ bit positions that the object owner intends to poll in round $x$.
These $\omega$ bit positions include $\gamma_x$ real and $\omega - \gamma_x$ dummy positions, and how to choose them
will be discussed shortly. Every detector $i$ then locally broadcasts $(r_x, f, d_{x,0}, \ldots, d_{x,\omega-1})$. Every
other detector hearing the polling request from detector $i$ chooses himself as a dummy tag with
probability $q$, which is a system parameter. Let $\mathcal{T}_{x,i}$ denote the set of tags comprising all the
dummy tags near detector $i$ and also the lost tag if it is covered by detector $i$. The Framed
Slotted ALOHA protocol is still used to collect tag responses. Every tag $j \in \mathcal{T}_{x,i}$ computes $k$
candidate slots to reply in, where the $\alpha$th slot is computed as $s^\alpha_x = h_\alpha(ID_j \| r_x) \bmod f$. Then for
each $d_{x,y}$, $y \in [0, \omega - 1]$, tag $j$ checks if $d_{x,y} = s^\alpha_x$ for some $\alpha$. If so, tag $j$ knows that it should
reply with a one-bit response in slot $y$, and it keeps silent otherwise. At the end of round $x$, detector $i$
obtains an $\omega$-bit vector $W_{i,x} = (w_{i,x}[0], \ldots, w_{i,x}[\omega - 1])$, where $w_{i,x}[y] = 0$ if slot $y$ is an empty
slot and $w_{i,x}[y] = 1$ otherwise. Then detector $i$ sends $W_{i,x}$ to the object owner via the service
provider.

Given $C$ mobile detectors in total in the target area, the object owner receives $\{W_{i,x}\}_{i=1}^{C}$ in
round $x$. As in the basic scheme, he maintains a set of candidate detectors which initially contains
all the $C$ detectors. After receiving $\{W_{i,x}\}_{i=1}^{C}$, the object owner eliminates from the candidate
set $\mathcal{C}_x$ every detector having at least one zero at the $\gamma_x$ real positions in his polling result.
The polling phase stops when the number of candidate detectors drops to one or remains
unchanged after $\tau \ge 2$ rounds, where $\tau$ is a system parameter.

After the polling phase, the object owner retrieves from the service provider the encrypted locations
of $\Lambda \ge 1$ detectors that include both the remaining detectors and some excluded detectors.
Finally, he can derive an approximate range for his lost object based on the decrypted detector
locations as in the basic scheme.
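The polling round just described, as an added example that is not part of the paper or its simulation code: the object owner builds the polling request from the lost tag's hashed slots, each detector folds the replies of the tags in its range into an ω-bit vector, and the owner drops every candidate with a zero at a real position. It assumes SHA-256 as the hash family h_α, the Table I values f = 300, k = 10, ω = 15, and a constructed scenario in which detector 0 is the one covering the lost tag.

```python
import hashlib
import random

# Constructed parameters taken from the paper's Table I: frame length f, k hash
# functions, omega polled positions per round.
F, K, OMEGA = 300, 10, 15


def candidate_slots(tag_id: bytes, seed: bytes, k: int = K, f: int = F) -> set:
    """The k candidate slots s^alpha_x = h_alpha(ID_j || r_x) mod f of tag j.
    h_alpha is instantiated as SHA-256 over (alpha || ID_j || r_x); the paper only
    asks for k hash functions, so this choice is an assumption of the example."""
    return {int.from_bytes(hashlib.sha256(bytes([a]) + tag_id + seed).digest(), "big") % f
            for a in range(k)}


def owner_polling_request(lost_id: bytes, seed: bytes, gamma: int, rng: random.Random,
                          omega: int = OMEGA, f: int = F):
    """Owner side: gamma real positions drawn from the lost tag's own slots plus
    omega - gamma dummy positions drawn from the rest of the frame. Returns the
    sorted positions d_{x,0} < ... < d_{x,omega-1} and the indices y of the real
    ones, which only the owner knows."""
    real_pool = sorted(candidate_slots(lost_id, seed, f=f))
    real = rng.sample(real_pool, min(gamma, len(real_pool)))  # at most k distinct slots
    dummies = rng.sample([d for d in range(f) if d not in real_pool], omega - len(real))
    positions = sorted(real + dummies)
    return positions, {y for y, d in enumerate(positions) if d in real}


def detector_vector(tag_ids, seed: bytes, positions) -> list:
    """W_{i,x} as detector i sees it: bit y is 1 if any tag in range has d_{x,y}
    among its candidate slots. Framed Slotted ALOHA only tells busy from empty,
    so several tags colliding in one slot still read as a single 1."""
    vec = [0] * len(positions)
    for tid in tag_ids:
        slots = candidate_slots(tid, seed)
        for y, d in enumerate(positions):
            if d in slots:
                vec[y] = 1
    return vec


def eliminate(candidates, vectors, real_idx):
    """Owner side: a candidate survives the round only with a one at every real
    position (the lost tag always answers in its own slots, so its detector stays)."""
    return {i for i in candidates if all(vectors[i][y] == 1 for y in real_idx)}


def run_round(coverage, lost_id, gamma, seed, rng):
    """One polling round. `coverage` maps detector id -> IDs of the tags in range
    (its dummy tags, plus the lost tag for the detector that covers it)."""
    positions, real_idx = owner_polling_request(lost_id, seed, gamma, rng)
    vectors = {i: detector_vector(tags, seed, positions) for i, tags in coverage.items()}
    return positions, real_idx, vectors, eliminate(set(coverage), vectors, real_idx)


def demo(n_detectors=50, dummies_each=17, gamma=5):
    """Constructed scenario: 50 detectors, each hearing 17 dummy tags (about c*q for
    the paper's defaults); detector 0 additionally covers the lost tag."""
    rng = random.Random(7)
    lost_id = b"LOST-TAG-0001"
    coverage = {i: {f"dummy-{i}-{j}".encode() for j in range(dummies_each)}
                for i in range(n_detectors)}
    coverage[0].add(lost_id)
    seed = hashlib.sha256(b"r_1 constructed seed").digest()  # the round's seed r_x
    return run_round(coverage, lost_id, gamma, seed, rng)
```

Calling `demo()` returns the polled positions, the owner's real indices, every detector's ω-bit vector and the candidate set left after the round; detector 0 is always among the survivors, while the others survive only if their dummy tags happen to fill all five real positions.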

C. Choosing Polling Positions 

Now we discuss how to choose the $\omega$ polling positions $\{d_{x,y}\}_{y=0}^{\omega-1}$ in each round $x$.

The first step is to determine $\gamma_x$, the number of real positions in round $x$. We propose to
derive $\gamma_x$ based on the $C$ polling results received in all previous rounds such that the expected
polling results in round $x$ are statistically indistinguishable from the results generated from the
theoretical binomial distribution $B(\omega, p_1')$. In particular, recall that $\mathcal{C}_x$ denotes the set of remaining
candidate detectors at the beginning of round $x$. Let $b_{i,x-1}$ be the number of bit ones in $W_{i,x-1}$
for all $i \in \mathcal{C}_x$, where we set $b_{i,0} = \lfloor (1 - (1 - 1/f)^{cqk})\,\omega \rfloor$. As discussed, the probability of any
bit position in $W_{i,x}$ being one for any detector $i \in \mathcal{C}_x$ not covering the lost object can be derived
as $p'_{1,i} = 1 - (1 - 1/f)^{cqk}$. Then the object owner tries to find $\gamma_{x,i}$ for each detector $i \in \mathcal{C}_x$, the
largest number of real positions that can be polled in round $x$ if detector $i$ covers the lost tag. To
do so, the object owner initially sets $\gamma_{x,i} := 0$. According to Eq. (5), the probability of any bit
position in $W_{i,x}$ being one if detector $i$ covers the lost tag is

$$p_{1,i} = \left(1 - (1 - 1/f)^{cqk}\right)\cdot\frac{\omega - \gamma_{x,i}}{\omega} + \frac{\gamma_{x,i}}{\omega}.$$

He then computes the expected fraction of bit ones in $W_{i,x-1} \| W_{i,x}$ as $p_{ob}$, the corresponding
test statistic $\chi^2$, and finally the p-value (denoted by $p_{val,i}$). If $p_{val,i} \ge p_{thre}$, where
$p_{thre}$ is the threshold chosen by the object owner, he increases $\gamma_{x,i}$ by one and repeats the above
process until he finds the largest possible $\gamma_{x,i} \le k$. Finally, he chooses $\gamma_x$ as the minimum among
$\{\gamma_{x,i} \mid i \in \mathcal{C}_x\}$. After determining $\gamma_x$, the object owner constructs $d_{x,0}, \ldots, d_{x,\omega-1}$ by randomly
choosing $\gamma_x$ real positions from $\{s^\alpha_x\}_{\alpha=1}^{k}$ and $\omega - \gamma_x$ dummy positions. The above process is
summarized in Algorithm 1.


Algorithm 1: Computing $\gamma_x$ for round $x$

input : Bit-one counts $\{b_{i,x-1} \mid i \in \mathcal{C}_x\}$, frame length $f$, p-value threshold $p_{thre}$
output: $\gamma_x$: the number of real positions in round $x$

$\gamma_x \leftarrow \min(k, \omega)$;
foreach $i \in \mathcal{C}_x$ do
    $\gamma_{x,i} \leftarrow 0$; $p_{val,i} \leftarrow 1$;
    $p'_{1,i} \leftarrow 1 - (1 - 1/f)^{cqk}$;
    while $p_{val,i} \ge p_{thre}$ do
        $p_{1,i} \leftarrow \left(1 - (1 - 1/f)^{cqk}\right)\cdot\frac{\omega - \gamma_{x,i}}{\omega} + \frac{\gamma_{x,i}}{\omega}$;
        $p_{ob} \leftarrow$ the expected fraction of bit ones in $W_{i,x-1} \| W_{i,x}$;
        $\chi^2 \leftarrow \frac{(p_{ob} - p'_{1,i})^2}{p'_{1,i}} + \frac{\left((1 - p_{ob}) - (1 - p'_{1,i})\right)^2}{1 - p'_{1,i}}$;
        Update $p_{val,i}$ according to $\chi^2$ based on the chi-squared distribution;
        if $p_{val,i} \ge p_{thre}$ then
            $\gamma_{x,i} \leftarrow \gamma_{x,i} + 1$;
        else
            $\gamma_{x,i} \leftarrow \gamma_{x,i} - 1$;
    if $\gamma_{x,i} < \gamma_x$ then
        $\gamma_x \leftarrow \gamma_{x,i}$;
return $\gamma_x$;
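Eqs. (5) and (6) and Algorithm 1 worked through in code, as an added example that is not the paper's own simulation: for each candidate detector it raises γ_{x,i} until the chi-squared p-value of the expected W_{i,x-1}‖W_{i,x} against B(ω, p_1') falls below p_thre, then takes the minimum over the candidates. Assumptions: the Table I values plus c = 19 derived from the simulation geometry, the statistic of Eq. (6) applied to counts (multiplied by the 2ω bits compared, the standard Pearson form), p_ob taken as (b_{i,x-1} + ω p_{1,i})/(2ω), and γ_{x,i} floored at 0 where the paper's loop would step below it.

```python
import math

# Constructed parameters: Table I defaults (f, k, omega, q) plus c, the average number
# of other detectors in range, computed as floor(pi R^2 N / S) from the simulation
# setting (R = 50 m, N = 10000 detectors, S = 2000 m x 2000 m) -> 19.
F, K, OMEGA, Q, C_COVER = 300, 10, 15, 0.9, 19


def p1_prime(f=F, c=C_COVER, q=Q, k=K):
    """Theoretical probability that a polled bit is one at a detector that does NOT
    cover the lost tag: only dummy tags (about c*q of them, k slots each) fill slots."""
    return 1.0 - (1.0 - 1.0 / f) ** (c * q * k)


def p1_cover(gamma, omega=OMEGA, pp=None):
    """Eq. (5): the same probability at a detector that DOES cover the lost tag when
    gamma of the omega polled positions are real (the lost tag answers all of them)."""
    pp = p1_prime() if pp is None else pp
    return pp * (omega - gamma) / omega + gamma / omega


def chi_square_p_value(p_ob, p_theory, n_bits):
    """Eq. (6) applied to counts (the per-bit statistic times the n_bits compared; the
    scaling is this example's assumption, Eq. (6) as printed is the per-bit form),
    then the one-degree-of-freedom p-value P(chi^2_1 > x) = erfc(sqrt(x / 2))."""
    chi2 = n_bits * ((p_ob - p_theory) ** 2 / p_theory
                     + ((1.0 - p_ob) - (1.0 - p_theory)) ** 2 / (1.0 - p_theory))
    return math.erfc(math.sqrt(chi2 / 2.0))


def gamma_for_detector(b_prev, p_thre, omega=OMEGA, k=K):
    """Inner loop of Algorithm 1 for one candidate detector i. b_prev is b_{i,x-1},
    the number of ones detector i reported last round. Returns the largest
    gamma_{x,i} <= min(k, omega) for which the expected W_{i,x-1} || W_{i,x} still
    passes the test against B(omega, p1'). The expected fraction of ones in the
    concatenation is taken as (b_prev + omega * p_{1,i}) / (2 omega) (an assumption);
    gamma is floored at 0 instead of stepping to -1 when even gamma = 0 fails."""
    pp = p1_prime()
    best = 0
    for gamma in range(0, min(k, omega) + 1):
        p_ob = (b_prev + omega * p1_cover(gamma, omega, pp)) / (2.0 * omega)
        if chi_square_p_value(p_ob, pp, 2 * omega) < p_thre:
            break          # p_{1,i} grows with gamma, so the p-value only falls from here
        best = gamma
    return best


def gamma_for_round(b_prev_by_detector, p_thre, omega=OMEGA, k=K):
    """Algorithm 1: gamma_x is the minimum over all remaining candidates in C_x, so that
    even the candidate whose last result looked most 'busy' stays indistinguishable."""
    gamma_x = min(k, omega)
    for b_prev in b_prev_by_detector.values():
        gamma_x = min(gamma_x, gamma_for_detector(b_prev, p_thre, omega, k))
    return gamma_x


if __name__ == "__main__":
    b0 = math.floor(p1_prime() * OMEGA)   # b_{i,0} from the paper's initialisation
    for thre in (0.0, 0.25, 0.45):
        print(f"p_thre={thre}: gamma_x={gamma_for_round({0: b0, 1: b0 + 1}, thre)}")
```

With the defaults, p_thre = 0 lets γ_x reach min(k, ω) = 10 (the basic scheme's behaviour), while raising the threshold forces fewer real positions per round, which is the trade-off Section V-D and Fig. 1 discuss.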


D. Performance Analysis 

The advanced scheme is correct with the same overwhelming probability and offers the same 
level of strong location privacy to mobile detectors as the basic scheme. 

Object Security. Similar to that in the basic scheme, the service provider may rank the detectors
based on the number of bit ones in their reported vectors. Since we normally have $\gamma/\omega > k/f$, the
gap between $p_1$ and $p_1'$ is more noticeable in the advanced scheme than in the basic scheme.
We thus expect that the advanced scheme offers lower object security than the basic scheme
does. Since the number of real positions queried in each polling round is jointly determined by
the previous polling results and $p_{thre}$, we have not been able to derive the rank distribution of
the real detector. Instead, we evaluate the object security of the advanced scheme in Section VI.

Fig. 1. Impact of $p_{thre}$, where BS and AS stand for the basic and advanced schemes, respectively.
(a) Normalized rank (b) Tag-comm. overhead (c) Tag-comp. overhead (d) Detector-comm. overhead

Efficiency. The communication overhead of the advanced scheme depends on the number of
polling rounds. Each mobile detector sends its encrypted location to the service provider at
the beginning, and he also broadcasts a polling request and sends an $\omega$-bit vector to the service
provider in each polling round. In addition, each tag needs to reply with $k\omega/f$ one-bit responses
on average in each round, so the total communication overhead incurred by tag responses is
about $ck\omega tC/f$ bits. Moreover, the object owner sends one object-finding request and $t$ polling
messages. Finally, the object owner retrieves $\Lambda$ encrypted detector locations from the service
provider.

As for the computation overhead, each tag (dummy or lost) needs $k$ efficient hash operations in
each polling round, leading to $cktC$ hash operations in total. Because the number of polled real
positions in the advanced scheme is smaller than that in the basic scheme, the number of polling
rounds is larger in the advanced scheme, resulting in more hash operations and thus a larger
tag computation overhead. Moreover, each mobile detector performs one public-key encryption,
and the object owner needs to carry out one public-key decryption for each non-excluded mobile
detector. As noted above, such public-key encryptions and decryptions can be done efficiently on
modern mobile devices.

Again, since the number of polling rounds is jointly determined by the previous polling
results and $p_{thre}$, we have not been able to derive a closed-form result for the communication and
computation overhead of the advanced scheme, which is evaluated via simulations in Section VI.
Fig. 2. Impact of $k$. (a) Normalized rank (b) Tag-comm. overhead (c) Tag-comp. overhead (d) Detector-comm. overhead

TABLE I
Default Simulation Settings

Para.   Value   Meaning
C       10000   The number of mobile detectors
q       0.9     The probability of acting as a dummy tag
f       300     The frame length in Framed Slotted ALOHA
k       10      The number of hash functions
ω       15      The number of polled positions


VI. Performance Evaluation 

In this section, we evaluate the proposed schemes using extensive simulations. We consider
a square region with a side length of 2,000 m, in which 10,000 mobile detectors are distributed
uniformly, each acting as a dummy tag with probability $q = 0.9$. The transmission ranges of
mobile detectors and the lost tag are both 50 m. For our purpose, the simulation code is written
in Java, and each data point represents an average of 100 simulation runs, each with a different
random seed. Table I summarizes our default simulation parameters unless mentioned otherwise.

Since the basic and advanced schemes can both offer mobile detectors strong location privacy
and also ensure that the lost object is recoverable almost for sure in all our simulations, our
subsequent evaluation focuses on object security, communication overhead, and computation
overhead. We assume that the following strategy is adopted by the service provider. On receiving
the polling results from all the detectors, the service provider runs Pearson's chi-squared test
as the owner does in the advanced scheme and computes a p-value for each detector. The service
provider then ranks all the detectors based on their p-values. The lower the p-value of a detector,
the more likely that the lost tag is in his coverage. We then use the relative rank of the detector
covering the lost tag to measure the security of the lost object. If the lost tag is covered by
multiple detectors, we use the highest rank available. Note that this strategy is a generalization
of ranking detectors according to the number of bit-one positions discussed in Section IV-B,
as it additionally considers the possibly different numbers of dummy tags around each detector.

Fig. 3. Impact of $f$. (a) Normalized rank (b) Tag-comm. overhead (c) Tag-comp. overhead (d) Detector-comm. overhead

Fig. 4. Impact of $\omega$. (a) Normalized rank (b) Tag-comm. overhead (c) Tag-comp. overhead (d) Detector-comm. overhead



Impact of $p_{thre}$. Figs. 1(a) to 1(d) show the object security in terms of the real detector's normalized
rank, the tag-communication overhead, the tag-computation overhead in the number of hash
computations performed, and the detector-communication overhead of the basic and advanced schemes,
respectively. Since the basic scheme is not affected by $p_{thre}$ (the p-value threshold), its performance
is plotted for reference only. We can see from Fig. 1(a) that as $p_{thre}$ increases from 0 to
0.3, the real detector's normalized rank under the advanced scheme increases from around 0.1
to 0.4. This is anticipated, as the higher $p_{thre}$, the fewer real positions polled in each polling
round, the smaller the gap between $p_1$ and $p_1'$, the lower the rank of the real detector, and the higher
the object security, and vice versa. In addition, we can see from Figs. 1(b) to 1(d) that the tag-
communication overhead, tag-computation overhead, and detector-communication overhead of
the advanced scheme all increase as $p_{thre}$ increases. The reason is that a higher $p_{thre}$ leads to fewer
real positions polled in each round and thus more polling rounds needed to locate the lost object.
Moreover, the advanced scheme incurs higher tag-computation overhead than the basic scheme,
as the advanced scheme requires more polling rounds than the basic scheme and thus every
tag performs more hash computations. Finally, Figs. 1(b) and 1(d) show that the advanced
scheme incurs lower tag- and detector-communication overhead than the basic scheme. This is
no surprise, because far fewer bits are transmitted from each detector to the service provider
in each round under the advanced scheme.


Impact of $k$. Figs. 2(a) to 2(d) compare the basic and advanced schemes when $k$ (the number
of hash functions) varies from 2 to 20. We can see from Fig. 2(a) that the real detector's
normalized rank fluctuates as $k$ increases under both schemes. The reason is that the increase
in $k$ leads to a higher $p_1$ for the real detector as well as a higher $p_1'$ for the other detectors, which
nevertheless has little impact on the gap between $p_1$ and $p_1'$. In addition, Fig. 2(b) shows that
the tag-communication overhead of both schemes increases with $k$. The reason is that the larger
$k$ is, the more slots every tag needs to respond in during each polling round, which leads to higher tag-
communication overhead. In addition, the advanced scheme incurs much lower communication
overhead than the basic scheme, which is expected. Moreover, we can see from Fig. 2(c) that
the tag-computation overhead of both schemes increases as $k$ increases and that the advanced
scheme incurs higher computation overhead. The reason is that the larger $k$ is, the more hash
computations each tag needs to perform in each polling round. In addition, since we generally
have $\gamma < k$ in the advanced scheme, it requires more rounds to locate the lost tag, while every
tag needs to perform $k$ hash computations in each round.


Impact of $f$. Figs. 3(a) to 3(d) show the object security in terms of the real detector's normalized
rank, the tag-communication overhead, the tag-computation overhead in the number of hash
computations performed, and the detector-communication overhead of the basic and advanced schemes,
respectively. Similar to $k$, $f$ has very limited impact on the normalized rank of the real detector.
In addition, we can see from Fig. 3(b) and Fig. 3(c) that the tag-communication and tag-
computation overhead of both schemes decrease as $f$ increases. The reason is that the larger $f$,
the fewer polling rounds needed to locate the lost tag, the lower the tag-communication and tag-
computation overhead for both schemes, and vice versa. In addition, the advanced scheme incurs
lower tag-communication overhead but higher tag-computation overhead. Moreover, we can see
from Fig. 3(d) that the detector-communication overhead of the advanced scheme decreases as $f$
increases. The reason is that in each polling round, each detector needs to transmit an $\omega$-bit vector,
which is not affected by $f$. Fewer polling rounds thus lead to lower detector-communication
overhead. In contrast, the detector-communication overhead of the basic scheme remains stable
as $f$ increases. The reason is that the detector-communication overhead of the basic scheme is
the product of the number of polling rounds and the frame length. Since the increase in $f$ leads
to a decrease in the number of polling rounds, the detector-communication overhead of the
basic scheme is relatively stable.


Impact of $\omega$. Figs. 4(a) to 4(d) show the impact of $\omega$ on the advanced scheme, where the
performance of the basic scheme is plotted for reference only. We can see from Fig. 4(a) that
$\omega$ has very limited impact on the object security. In addition, we can see from Figs. 4(b) to
4(d) that the tag-communication and detector-communication overhead both increase and the
tag-computation overhead decreases as $\omega$ increases.


VII. Conclusion 

This paper presented the design, analysis, and evaluation of SecureFind, the first secure and 
privacy-preserving crowdsourced object-finding system. In particular, we first introduced a basic 
scheme which provides strong object security at the cost of system efficiency, and then presented 
an advanced scheme to strike a good balance between object security and system efficiency. 
Detailed simulations confirmed that SecureFind can enable very fast and efficient object finding 
while ensuring the security of the lost object and also the location privacy of the mobile users 
participating in object finding. 

There are still many open challenges to tackle. For example, in our current design, all the 
mobile detectors in the target area specified by the object owner need to participate in object 
finding. Since some of them may have overlapping coverage, there may be significant room 
for reducing the communication and computation overhead. One possible solution is to let the 
service provider select the minimum number of mobile detectors that can jointly cover the target 
area. This solution, however, requires the service provider to know more accurate locations 
of mobile detectors. Such a tradeoff between system efficiency and location privacy deserves
careful investigation. In addition, our current design assumes that mobile detectors are honest-but-curious.
There may be dishonest mobile detectors who report fake search results to earn rewards
without actually performing the object search. How to catch and then punish such dishonest 
mobile detectors is nontrivial and may conflict with the location-privacy requirement of mobile 
detectors. We hope that this paper can stimulate further interest in crowdsourced object finding 
and other exciting mobile crowdsourcing applications. 